Stuxnet Warfare – The Gloves are Off

Submitted by Eric Byres on Tue, 2012-06-05 21:00

The discovery of the Flame malware last week focused the cyber security world on the sophisticated strikes targeting energy companies in the Middle East. Although Flame’s goal was espionage rather than damaging operations as Stuxnet did, it has been seen as one more indication that the industrial world is now in the bull’s eye of clever attackers.

On the heels of Flame coverage, today David Sanger, the Pulitzer Prize winning Washington correspondent for The New York Times, released his new book “Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power”. Up to now, many writers speculated that the U.S. and Israel collaborated on Stuxnet. This book does not speculate; it builds a strong circumstantial case that these two countries did indeed create and launch Stuxnet against Iran.

While the book does not include named sources or other hard evidence, the information is very plausible. A number of the technical subtleties of Stuxnet are described with unusual accuracy. Dale Peterson has pointed out a number of technical flaws in the New York Times’ article based on the book, but these appear to have been introduced by the New York Times editors, as they are not in the book.

Undoubtedly, there will be other mistakes in a book like this, but the core message seems very plausible – the U.S. and Israel did launch Stuxnet against Iran’s nuclear program.

The Gloves are Off – Cyber Warfare is in the Open

Up until now Iran couldn’t be sure who created Stuxnet, so it might have held back from launching a counter attack. (Of course countries don’t always wait for definitive proof before taking military action. The U.S. invasion of Iraq is an example of this.)

Now, true or not, both the book and the New York Times story based on it have made it difficult for the U.S. Administration to deny it was behind the Stuxnet attacks. So far the U.S. Administration has remained silent.

This means that the gloves are off. Cyber warfare has moved from “you don’t ask and we don’t tell” to open aggression between countries.

“The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.”

Does this now give Iran the right to respond with a military option?

Cyber Strikes are on the Minds of many World Leaders

At the recently concluded ISS Asia Security Summit, the UK Minister of State for the Armed Forces, Nick Harvey, commented:

“Pre-emptive cyber strikes against perceived national security threats are a "civilised option" to neutralise potential attacks”.

At the same conference, Malaysian Defence Minister Ahmad Zahid Hamidi said a cyber arms race was already under way:

“What remains disturbing is that cyber warfare need not to be waged by state-run organisations but could be conducted by non-state entities or even individuals with intent to cause disruptions to the affairs of the state,” he added.

Implications for Critical Infrastructure Providers

The likely targets of cyber attacks aimed at nation states are energy, water and transportation systems. If your facility is in these sectors, you now have more urgency than ever to make sure that your facility is following robust cyber security practices.

What do you think of Sanger’s assertion that the U.S. and Israel are behind Stuxnet? Is it plausible? What does it mean for your company’s cyber security practices, especially if you are in a critical industry?

Comments

There are not a lot of positives associated with advancing the topic to this stage. However, among perhaps the most surprising aspects is that it has taken so long to happen.

Perhaps the first time I began deeply pondering the topic was about 20 years ago after talking with an oil facility at a show during the early firewall market. At the time I wondered how far along that particular countdown had moved to date, or whether the launch had already passed unnoticed.

Despite the current spirit of revelation ("I'm shocked - shocked! - to find gambling going on here!"), I still wonder when this rocket actually left the pad.

About the most surprising part of all of this is that it is 2012, and we are only having this conversation now. Is it possible that we could have held off having this discussion until 2013? 2015?

Maybe, maybe. Hard to imagine, though, in a world where we are as likely as not to be one book away from the equally shocking revelation that China has not been passively aggressive in their application of similar techniques. We may all rest well assured that Canada is not going to be actively aggressive (beyond parenthetical digs ;~), but to assume that every other nation will cleave to the same behavior forever is unrealistic.

This does in fact open a can of worms in the US that we are not ready to deal with. From a future retrospective perspective, though, we may find that we have reason to wonder if we would have been ready sooner or rather later without it.

Without Stuxnet Newsfest Part One in 2010, would there have been more or less resource put into ICS cybersecurity to date? Without Duqu and Flame and Brian's book would governments and private entities be putting more or less emphasis on fixing a problem that has only gotten more dire every year?

Like many traumatic periods, it is very difficult to determine whether the world would be a better or worse place without it. Plenty of authors have speculated what the world would be like today without one of the grand tragedies of the past (WWII, the Black Plague, Montezuma...); rarely does the Single Change lead to a better life for all involved.

The fact of nation states using cyber means to achieve kinetic ends has been publicly known for two years. While Brian's book incrementally refines the attribution for Stuxnet I doubt very much if it is seen as revelatory by anyone who might take the news poorly.

Maybe an Israeli airstrike on Natanz would have had less impact on world affairs than Stuxnet, maybe more. In any case, this cat left the bag as far as most interested observers are concerned in 2010.

This shows how easy it is to sensationalize a story out of media propaganda, coincidences, and conspiracy theories.

I'm not saying the USA is not behind this, but there is no proof they are. I guess as long as the news can help sell a book the author doesn't really care what problems this causes.

The title is also interesting. The article and book say that the program started under Bush, so why call out Obama in the title? Easy - it's more relevant to marketing/selling.

The whole thing feels like it is a way to make money off of so buzz words, fear, uncertainty, and playing to people against Obama.

I'd just worry what type of retaliations this may cause. Whether the claim is true or not, the attention or belief it may cause could stir up problems and lead to more cyberattacks in response that we will all have to deal with.

I completely agree that there is no hard proof on this story. However considering the subject of the story (covert actions against another country) I would be more surprised if there was proof. What impressed me was the consistency of some of the technical details - considering that Sanger is not a computer security expert, he got very good technical briefings on Stuxnet from somewhere.

That said, I think your last point is spot on - other countries (especially countries that find the concept of a free press not controlled by the government rather novel) will take this as proof enough.

To close, I think this quote from Stewart Baker (former senior official at NSA) is fitting: “We've been living in a glass house for years and now we've decided we're going to invent rocks.”